
Re: Comments on tracking-compliance.html

From: David Wainberg <dwainberg@appnexus.com>
Date: Wed, 26 Oct 2011 17:50:03 -0400
Message-ID: <4EA8808B.8060105@appnexus.com>
To: Justin Brookman <justin@cdt.org>
CC: "public-tracking@w3.org" <public-tracking@w3.org>

Maybe out of scope is the wrong term. How about inconceivable?

> "define the scope of the user preference and practices for compliance 
> with it in a way that will inform and be informed by the technical 
> specification." 
This is indeed broad, but my argument would be that legal requirements, 
definitions of consent, etc. are too distinct from the technical 
specification to meet the standard of "inform or be informed by."

> (1) a statement that you are complying with the header (I have 
> expressed flexibility as to how this should look---"DNT honored here" 
> flag may be enough) and 
I propose "a mechanism to deliver a statement regarding intent to comply 
with the header."

> (2) a requirement that permission to ignore the header be clear and 
> prominent are both necessary for the setting to function as intended. 
I propose "a mechanism to provide for or facilitate the acquisition and 
storage of permission to ignore the header."



On 10/26/11 3:45 PM, Justin Brookman wrote:
> You keep using this term, "out of scope."  I do not think it means 
> what you think it means.  The scope of the group is, /inter alia/, to 
> define "specifications for a simple machine-readable preference 
> expression mechanism ('Do Not Track') and technologies for selectively 
> allowing or blocking tracking elements" and to "define the scope of the 
> user preference and practices for compliance with it in a way that 
> will inform and be informed by the technical specification."  The 
> purpose of the group is to delineate the practices that are necessary 
> to meaningfully comply with a DNT header.  I believe that (1) a 
> statement that you are complying with the header (I have expressed 
> flexibility as to how this should look---"DNT honored here" flag may 
> be enough) and (2) a requirement that permission to ignore the header 
> be clear and prominent are both necessary for the setting to function 
> as intended.  Without them, the spec will not work.  I suppose the 
> group could have been chartered to just decide the syntax of what a 
> DNT header looks like, but the scope of the group is broader than 
> that.  This is not a question of "fix[ing] privacy regulation around 
> the world."  This is a question of determining how to comply with a 
> DNT-header instruction.  Determining how consent should be obtained in 
> order to comply with a spec is ordinarily within the scope of a W3C 
> mandate 
> (http://www.w3.org/TR/2010/NOTE-dap-privacy-reqs-20100629/#privacy-consent)
> Justin Brookman
> Director, Consumer Privacy Project
> Center for Democracy & Technology
> 1634 I Street NW, Suite 1100
> Washington, DC 20006
> tel 202.407.8812
> fax 202.637.0969
> justin@cdt.org
> http://www.cdt.org
> @CenDemTech
> @JustinBrookman
>
> On 10/26/2011 3:00 PM, David Wainberg wrote:
>> I agree that would be a perverse result. It's likely the scenario you 
>> describe would be an unfair trade practice under FTC jurisdiction (in 
>> the US). I agree more broadly that appropriate notice for users is an 
>> issue. I just don't think it's a problem we should try to solve. It's 
>> not our job to fix privacy regulation around the world. We're going 
>> to have to let go a bit, and see what regulatory bodies, users, and 
>> software makers do with the tools we give them. A simple "DNT honored 
>> here" flag in the headers, for example, provides meaningful and 
>> actionable information to users (via the client). Let the client 
>> software decide how to present it to users. Let regulatory 
>> organizations build the rest of the framework around enforcement.
>>
>> On 10/25/11 11:16 PM, Justin Brookman wrote:
>>> Fair enough, but the legal definition of consent is actually incredibly
>>> vague in many jurisdictions, and we may wish to specify a higher
>>> standard for users in those places where the requirements are weak or
>>> unclear.  For instance, it would be a perverse result if a company's
>>> privacy policy could say both "we comply with 'Do Not Track'" and "oh,
>>> by the way, we reserve the right to track you."  One way to avoid the
>>> legal inconsistency problem would be to define "Affirmative Informed
>>> Consent" as AT LEAST in response to a clear and prominent request
>>> separate from other permissions/disclosures.
>>>
>>
>>
Received on Wednesday, 26 October 2011 21:50:28 UTC
